At Otoq, security is foundational — not an afterthought. We handle your business data and your customers' conversations, and we take that responsibility seriously. This page describes how we protect your data and how you can help us keep the platform secure.
Infrastructure Security
Encryption in transit: All traffic is encrypted with TLS 1.2 or newer (HTTPS). We send an HSTS header with a two-year max-age (max-age=63072000) that includes subdomains, so after a first visit browsers refuse plaintext connections to Otoq and all of its subdomains.
Encryption at rest: Database storage is encrypted at rest via Supabase (backed by AWS infrastructure with AES-256 encryption).
Hosting: Application hosted on Vercel with automatic DDoS protection, edge network, and SOC 2 Type II compliance. Database hosted on Supabase (SOC 2 Type II compliant).
Region: Primary deployment in Singapore (sin1) for low-latency APAC access.
Application Security
Row-Level Security (RLS): Every database table has row-level security enabled, with policies that restrict each query to the rows owned by the authenticated user. Isolation is therefore enforced by the database itself, not only by application code.
Input sanitization: All user inputs are validated with Zod schemas, HTML-stripped, and sanitized before processing.
Prompt injection detection: Chat messages are scanned for known prompt injection patterns with system-level guardrails.
SSRF protection: URL crawler blocks requests to private IP ranges, cloud metadata endpoints, and internal hostnames.
Rate limiting: Per-visitor and per-agent rate limits via Upstash Redis (production) with in-memory fallback (development).
Auth rate limiting: Brute-force protection on login/signup endpoints (10 attempts per 15 minutes per IP).
No tracking cookies: Only essential authentication cookies are used. No third-party advertising trackers.
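The SSRF item above describes what a crawler must refuse before it fetches a user-supplied URL. The following is an added example of such a pre-fetch check, written for this page and not taken from Otoq's code base; the hostname deny-list, the CIDR table and the function names are assumptions chosen for illustration. It relies on WHATWG URL parsing (Node's `URL`) to normalise IP literals written as a single decimal, hex or shortened dotted number, and it checks IPv6 literals including IPv4-mapped and NAT64 forms.

```typescript
import { isIP } from "node:net";

// Assumed deny-list for this example: loopback names and cloud metadata hostnames.
const BLOCKED_HOSTNAMES = new Set(["localhost", "metadata.google.internal", "metadata"]);
const BLOCKED_SUFFIXES = [".localhost", ".internal", ".local", ".localdomain"];

// IPv4 ranges a crawler must never reach, with the reason returned to the caller.
const IPV4_DENY: Array<[string, string]> = [
  ["0.0.0.0/8", "this-network"],
  ["10.0.0.0/8", "RFC 1918 private"],
  ["100.64.0.0/10", "shared address space (CGNAT; also some cloud metadata services)"],
  ["127.0.0.0/8", "loopback"],
  ["169.254.0.0/16", "link-local (includes the 169.254.169.254 metadata endpoint)"],
  ["172.16.0.0/12", "RFC 1918 private"],
  ["192.0.0.0/24", "IETF protocol assignments"],
  ["192.168.0.0/16", "RFC 1918 private"],
  ["198.18.0.0/15", "benchmarking"],
  ["224.0.0.0/4", "multicast"],
  ["240.0.0.0/4", "reserved / broadcast"],
];

function ipv4ToU32(o: number[]): number {
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

function ipv4Reason(octets: number[]): string | null {
  const addr = ipv4ToU32(octets);
  for (const [cidr, reason] of IPV4_DENY) {
    const [net, len] = cidr.split("/");
    const mask = (0xffffffff << (32 - Number(len))) >>> 0;
    if (((addr & mask) >>> 0) === ((ipv4ToU32(net.split(".").map(Number)) & mask) >>> 0)) return reason;
  }
  return null;
}

// Expand an IPv6 literal (already validated by isIP) into its eight 16-bit groups,
// folding a dotted-quad tail such as ::ffff:1.2.3.4 into two hex groups first.
function ipv6Groups(addr: string): number[] {
  let s = addr;
  const tail = s.match(/^(.*:)(\d+\.\d+\.\d+\.\d+)$/);
  if (tail) {
    const [a, b, c, d] = tail[2].split(".").map(Number);
    s = `${tail[1]}${((a << 8) | b).toString(16)}:${((c << 8) | d).toString(16)}`;
  }
  const [head, rest] = s.split("::");
  const h = head ? head.split(":") : [];
  const t = rest ? rest.split(":") : [];
  const zeros = new Array<string>(8 - h.length - t.length).fill("0"); // groups "::" stands for
  return [...h, ...zeros, ...t].map((g) => parseInt(g, 16));
}

function ipv6Reason(addr: string): string | null {
  const g = ipv6Groups(addr);
  const mapped = g.slice(0, 5).every((x) => x === 0) && g[5] === 0xffff;          // ::ffff:0:0/96
  const nat64 = g[0] === 0x64 && g[1] === 0xff9b && g.slice(2, 6).every((x) => x === 0); // 64:ff9b::/96
  if (mapped || nat64) {
    const r = ipv4Reason([g[6] >> 8, g[6] & 0xff, g[7] >> 8, g[7] & 0xff]);
    return r ? `IPv4-embedded: ${r}` : null;
  }
  if (g.every((x) => x === 0)) return "unspecified address (::)";
  if (g.slice(0, 7).every((x) => x === 0) && g[7] === 1) return "loopback (::1)";
  if ((g[0] & 0xfe00) === 0xfc00) return "unique local (fc00::/7)";
  if ((g[0] & 0xffc0) === 0xfe80) return "link-local (fe80::/10)";
  return null;
}

/** Reason an IP literal must not be contacted, or null if it is a public address. */
export function ipReason(ip: string): string | null {
  const kind = isIP(ip);
  if (kind === 4) return ipv4Reason(ip.split(".").map(Number));
  if (kind === 6) return ipv6Reason(ip);
  return "not an IP address";
}

export interface UrlCheck { allowed: boolean; reason?: string; hostname?: string }

/** Pre-resolution check: scheme, hostname deny-list, and IP literals in any notation. */
export function checkUrl(raw: string): UrlCheck {
  let url: URL;
  try { url = new URL(raw); } catch { return { allowed: false, reason: "unparseable URL" }; }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { allowed: false, reason: `scheme ${url.protocol} not allowed` };
  }
  // The URL parser has already turned 2130706433, 0x7f000001 and 127.1 into 127.0.0.1.
  const host = url.hostname.replace(/^\[|\]$/g, "").replace(/\.$/, "").toLowerCase();
  if (BLOCKED_HOSTNAMES.has(host) || BLOCKED_SUFFIXES.some((s) => host.endsWith(s))) {
    return { allowed: false, reason: `blocked hostname ${host}`, hostname: host };
  }
  if (isIP(host)) {
    const r = ipReason(host);
    return r ? { allowed: false, reason: r, hostname: host } : { allowed: true, hostname: host };
  }
  if (!host.includes(".")) return { allowed: false, reason: "unqualified hostname", hostname: host };
  return { allowed: true, hostname: host }; // still subject to checkResolved() before connecting
}

/** Post-resolution check: pass every address DNS returned, then connect only to an
 *  address that passed (pinning), so a rebinding name cannot swap in 127.0.0.1 later. */
export function checkResolved(addresses: string[]): UrlCheck {
  for (const a of addresses) {
    const r = ipReason(a);
    if (r) return { allowed: false, reason: `${a}: ${r}` };
  }
  return { allowed: addresses.length > 0 };
}
```

Two points a hostname deny-list alone does not cover: the name must be resolved and the resolved addresses checked with `checkResolved()`, and the connection must be made to the address that passed rather than to the name again, otherwise a DNS answer with a short TTL can point at a public address during the check and at 127.0.0.1 during the fetch. Every HTTP redirect target must go through `checkUrl()` and `checkResolved()` again, since a public page can redirect to 169.254.169.254.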
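The two rate-limiting items above give one concrete policy (10 attempts per 15 minutes per IP on login and signup) and mention an in-memory fallback. The following added example, written for this page rather than taken from Otoq's code, shows a sliding-window-log limiter of the kind the in-memory fallback would implement; the class name, key format and the injectable clock are assumptions made so the behaviour can be exercised without waiting fifteen minutes.

```typescript
export interface RateLimitDecision {
  allowed: boolean;
  remaining: number;    // attempts left in the current window (0 when blocked)
  retryAfterMs: number; // when blocked, how long until the oldest attempt ages out
}

/** Sliding-window log: each key holds the timestamps of its attempts inside the window.
 *  Assumed design for this example; state lives in this process only. */
export class SlidingWindowLimiter {
  private readonly hits = new Map<string, number[]>(); // key -> ascending timestamps (ms)

  constructor(
    private readonly limit: number,
    private readonly windowMs: number,
    private readonly now: () => number = () => Date.now(), // injectable clock for tests
  ) {}

  /** Record one attempt for `key` and decide whether it is within the limit.
   *  Blocked attempts are not recorded, so a blocked client is not pushed further back. */
  hit(key: string): RateLimitDecision {
    const t = this.now();
    const cutoff = t - this.windowMs;
    const recent = (this.hits.get(key) ?? []).filter((ts) => ts > cutoff);
    if (recent.length >= this.limit) {
      this.hits.set(key, recent);
      return { allowed: false, remaining: 0, retryAfterMs: recent[0] + this.windowMs - t };
    }
    recent.push(t);
    this.hits.set(key, recent);
    return { allowed: true, remaining: this.limit - recent.length, retryAfterMs: 0 };
  }

  /** Drop keys with no attempts inside the window; returns how many were removed. */
  prune(): number {
    const cutoff = this.now() - this.windowMs;
    let removed = 0;
    for (const [key, stamps] of this.hits) {
      if (!stamps.some((ts) => ts > cutoff)) { this.hits.delete(key); removed++; }
    }
    return removed;
  }
}

// The auth policy stated on this page: 10 attempts per 15 minutes per client IP.
export const AUTH_LIMIT = 10;
export const AUTH_WINDOW_MS = 15 * 60 * 1000;

/** Key format assumed for this example; use the IP the platform reports for the
 *  connection, never a header the client can set itself. */
export function authKey(clientIp: string): string {
  return `auth:${clientIp}`;
}

/** Run `attempts` login attempts from one IP at the same instant and report the outcome
 *  of each, which is the shape of a brute-force burst against the policy above. */
export function simulateBurst(attempts: number, clock: () => number): boolean[] {
  const limiter = new SlidingWindowLimiter(AUTH_LIMIT, AUTH_WINDOW_MS, clock);
  const key = authKey("203.0.113.7"); // constructed sample address (TEST-NET-3)
  return Array.from({ length: attempts }, () => limiter.hit(key).allowed);
}
```

The map is per process, which is why this shape is a development fallback only: on a serverless platform each instance would keep its own counters and an attacker spread across instances would get `limit` attempts per instance. Production needs the shared store (here Upstash Redis) so that all instances count against one window. The same class serves the per-visitor and per-agent limits on chat by changing the key, for example `visitor:<agentId>:<visitorId>`.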
Data Privacy
No model training: Your business data and conversations are never used to train AI models. Both Anthropic (Claude) and OpenAI state that data submitted through their APIs is not used to train their models.
Data ownership: You retain full ownership of all content you upload. We process it solely to provide the service.
Data deletion: When you delete your account, all associated data (agents, knowledge bases, conversations, leads) is permanently deleted. Backups are purged within 30 days.
Data export: You can export your leads and conversations at any time via the dashboard.
Payment security: We never store credit card details. All payment processing is handled by Lemon Squeezy (our merchant of record), which is PCI DSS compliant.
Global Compliance
We are committed to complying with data protection laws across all jurisdictions we serve. See our Privacy Policy (Region-Specific Addendums) for jurisdiction-specific details.
Region | Regulation | Status
Philippines | Data Privacy Act (RA 10173) | Compliant
EU / EEA | General Data Protection Regulation (GDPR) | Compliant
United Kingdom | UK GDPR + Data Protection Act 2018 | Compliant
California, US | CCPA / CPRA | Compliant (no data sales)
Brazil | Lei Geral de Proteção de Dados (LGPD) | Compliant
Canada | PIPEDA | Compliant
South Africa | POPIA | Compliant
Singapore | Personal Data Protection Act (PDPA) | Compliant
Australia | Privacy Act 1988 (APPs) | Compliant
Japan | Act on Protection of Personal Information (APPI) | Compliant
No data sales: We do not sell personal information to any third party, ever.
Cookie consent: Analytics tracking only activates after explicit user opt-in via our cookie consent banner.
SOC 2 (via infrastructure): Our infrastructure providers (Vercel, Supabase, Anthropic, OpenAI, Upstash, Sentry, PostHog) maintain SOC 2 Type II certifications.
PCI DSS (via Lemon Squeezy): Payment processing is fully handled by our PCI-compliant merchant of record.
Responsible Disclosure
We welcome security researchers to help us keep Otoq safe. If you discover a vulnerability, please report it responsibly:
Allow us 90 days to address the issue before public disclosure
Do not access, modify, or delete data belonging to other users
Do not perform denial-of-service attacks or social engineering
We commit to acknowledging receipt within 48 hours and providing regular updates on our progress. We will not take legal action against researchers who follow these guidelines.